Pages

▼

Thursday, June 06, 2013

A Nifty Legal Dance

Rachel Levinson-Waldman

Many questions remain about the revelations
that the NSA has been receiving the phone records of all of Verizon’s domestic
customers, almost in real-time, apparently for the past
seven years. Among them are the fact that while it’s the FBI that asked
the secretive Foreign Intelligence Surveillance Court to order Verizon to
provide the records, the leaked FISC
order indicates that all of the data goes the National Security
Agency. [A quick caution: Readers with security clearances who weren’t
permitted to review Wikileaks documents may not want to read the order, as it’s
highly classified.]

So why do the documents go to the NSA? The obvious answer is
that the NSA has the biggest computing and data-crunching capacity around, and
this is a LOT of data. There are some interesting legal quirks that arise from
this bisected approach, though. This post attempts to walk through them – and I
welcome corrections or comments if I’ve gone off-course somewhere.

Let’s start with the order. It was issued under Section
215 of the Patriot Act, also known as the “business records”
provision. Under Section 215, the FBI (and only the FBI) can ask the FISA Court
to issue a secret order requiring a business to produce “any tangible things”
(records, documents, etc.). The application for the order must be supported by
a statement of facts showing that the records are “relevant” to an authorized counterterrorism
or counterintelligence investigation (or an investigation to obtain foreign
intelligence information not concerning a U.S. person, which doesn’t seem
relevant here). So the FBI has to identify a specific investigation to which
these records are relevant, and it must be a predicated investigation, not an
“assessment” (which is the ostensibly low-level but quite intrusive authority
under which the FBI investigated Tamerlan Tsarnaev).

The statute also requires the Attorney General to adopt
minimization procedures (retention and dissemination limitations) for the
materials the FBI receives. This requirement only kicks in, however, when the FBI
receives information in response to the order. And the FBI doesn’t receive this
information: the NSA does.

So that gets us to the NSA. Executive
Order 12333, issued in 1981 by President Reagan, generally governs how intelligence
agencies collect and use information about U.S. persons (citizens and lawful
permanent residents, plus many corporations). EO 12333 seems to authorize
fairly generous collection, retention, and dissemination of U.S. person
information, as long as (among other things) the information is “obtained in
the course of a lawful foreign intelligence, counterintelligence, ... or
international terrorism investigation.” That is, the kind of investigation for
which a section 215 order is available.

Under EO 12333, the head of each intelligence agency must issue
minimization procedures detailing the permissible collection, retention, and
dissemination of information about U.S. persons, including information gathered
during a counterintelligence or counterterrorism investigation, which is
presumably what’s involved here.

For the NSA,
those minimization procedures would be Department of Defense regulation 5240.1-R, which seem to be *more* restrictive than EO
12333. That is, these procedures don't say that any information can be
collected as long as it's relevant to a counterterrorism or counterintelligence
investigation. Instead, they say information can be collected about a U.S.
person only if (1) the information constitutes foreign intelligence (basically
information about foreigners) AND (2) the U.S. persons are "reasonably
believed to be engaged or about to engage, in international terrorist ...
activities." (There are a few other circumstances, which I don't think are
relevant here.) If the information constitutes counterintelligence (information
gathered to protect against various foreign activities) rather than foreign
intelligence, the U.S. persons must be “reasonably believed to be engaged in,
or about to engage in, intelligence activities on behalf of a foreign power, or
international terrorist activities.” So the people whose information is
collected by the NSA need to be actively engaging, or about to be engaged in
something nefarious – they can’t just be vaguely relevant to an investigation.

However, as others
have noted as well, the regulations have a particularly restrictive and
somewhat peculiar definition of collection: “data acquired by electronic means”
is collected ONLY “when it has been processed into intelligible form.” This has
two implications. First, this might be why the FISA order specifically directs
Verizon to send the NSA an electronic
copy of the data: so that the production doesn’t automatically trigger the
“collection” restrictions. (Plus, of course, it would be crazy to ask for a
hard copy.) And second, as long as there’s just a huge data dump sitting there,
unprocessed, the NSA hasn’t “collected” information, and thus doesn’t yet have
to comply with the restrictions of the DOD regulations .

Once the NSA processes it – for instance, by searching for calling
patterns and communities of interest related to people the FBI or NSA
identifies as being “reasonably believed to be engaged in international
terrorist activities” – it's been collected. At that point, though, it’s fine,
because that targeting satisfies the regulation. This would help explain statements
by Senate members implying that the NSA doesn’t do anything with the
information until it gets specific names. (Of course, some of those senators
are also making laughable
pronouncements that information has been collected “only on bad
guys.”)

There’s one problem (and maybe more) with this line of
argument: how does the NSA process ONLY the information it’s searching for? Doesn’t
it have to process a large batch of information in order to conduct the search
within the data, which would then involve collecting more than just the
information permitted by the DOD regulations? The NSA does, though, have to get
around the 5240.1-R collection limitations in some way, since otherwise the
collection of phone data on every single person in the U.S. would seem a wee
bit overbroad. So maybe this legal and technological footwork is the way it
does it – and in the meantime, the FBI has neatly sidestepped its own
minimization obligations by not receiving information under the section 215
order. (Of course, we don’t know what information the NSA is feeding back to the
FBI after it processes the data – but perhaps the FBI argues that at that
point, it’s not receiving information “in response to” the original order.)

There’s one other interesting note. Under EO 12333, the NSA
is required to use the “least intrusive collection technique feasible” where
Americans are concerned. But by the time the NSA comes into play, they’ve got
everything – so the only question is what technique they use to burrow in on the
relevant information, not what they do to capture the whole dataset. The FBI,
which makes the original request, is also required to use the least intrusive
method available, and one would think a FISA Court judge might inquire whether
there’s a very slightly less intrusive method than obtaining the entire
country’s calling information. But conveniently, the Attorney General
Guidelines that Michael Mukasey issued in 2008 add that the FBI “shall not
hesitate to use any lawful method,” as long as it’s warranted, “particularly …
in investigations relating to terrorism.” So the NSA gets to obtain information
in a more intrusive way than it might otherwise be allowed, since the FBI is
the one doing the asking.

Rachel
Levinson-Waldman is Counsel at the Liberty and National Security Program at the
Brennan Center for Justice at NYU Law School. You can reach her by e-mail atrachel.levinson.waldman
at nyu.edu

29 comments:

Perhaps the leak of the FISA Court-authorized Executive branch dragnet of Americans' phone calling data will finally dampen the heated romance the civil liberties community has had with the FISC - albeit a decidedly unrequited romance. If so, perhaps then our legal and political disocurse on government surveillance can finally go in the direction it has always needed to go: the question of government agents' intentions. Here is what I wrote in a January blog post subsequent to the reauthorization of the FISA Amendments Act:

"Last month Congress reauthorized, with the support of President Obama, the 2008 FISA Amendments Act; a law which vastly expanded the government’s ability to wiretap the telephones of U.S. persons. At this point, you are supposed to be accustomed to hearing the words “without a warrant.” But not here.

Unfortunately, those who have led the charge against expanded government wiretap authority since the aforementioned 2005 revelations in The New York Times, have inculcated the extremely dangerous notion among the public that those wiretap warrants are the end all and be all of bulwarks against untoward executive branch meddling in our nation’s political life.

That the court tasked with issuing those warrants, the Foreign Intelligence Surveillance Court, is both secret and non-adversarial – meaning there is no one there to counter a government agent’s claim that a U.S. citizen needs to be wiretapped in the first place – was of shockingly little significance, and largely still is, for those involved in the FISA debate. So long as the FISA court issues specific wiretap warrants for each case, the court’s ardent defenders implied, it will protect U.S. citizens from politically-motivated government officials who want to conduct surveillance on their political enemies.

These ardent defenders of the FISA court had absolutely no basis on which to make that claim, since the court is entirely secret. For example, the last time the ACLU attempted to persuade the FISA court to make public their legal rationales for authorizing wiretaps of Americans, the FISA court told ACLU where to stick it, and Congress flatly rejected amendments the reauthorization of the FISA Amendments Act to do just that." (The whole blog post can be read here: http://www.tikkun.org/tikkundaily/2013/01/19/aaron-swartz-and-other-victims-of-government-persecution/

We can only hope, in the wake of this most recent revelation of FISC-approved phone data mining, that traditional civil libertarians will stop clinging to the 1970s Disco-era notion that the FISC as a stand-alone court is a sufficient instrument to achieve proper balance between national security and government non-interence in the political life and thought of the American people.

What we need is a constitutional remedy that would allow Congress to expand the portfolio of the Judiciary to encompass the removal of unelected, unconfirmed civil servants. See Section 5 of the proposed amendment here: http://tyrannydissolution.wordpress.com/about/

NSA appears to be going beyond the original Bush program of targeting enemy phone numbers and applying a search algorithm to calls six to seven layers beyond that number looking for patterns and relationships.

Subpoenaing the metadata for all telecommunications moving through the United States (which includes a large part of the world traveling through our trunks) suggests that NSA is now applying their search algorithms to the metadata at large to identify terrorist cells.

So long as NSA seeks warrants when necessary to listen or read telecommunications content, they are probably within the law.

The question this expansion of surveillance power begs is how to ensure that NSA's personnel stay within the law and do not go rogue like IRS targeting the political opponents of the President in the press and among the citizenry while maintaining operational security?

"The question this expansion of surveillance power begs is how to ensure that NSA's personnel stay within the law and do not go rogue like IRS targeting the political opponents of the President in the press and among the citizenry while maintaining operational security?"

Indeed, how do you propose this be accomplished? IIRC you think FISA is unconstitutional and the Executive has inherent powers as the CiC during wartime to do this sort of thing...

ABC's Matt Dowd imagined this apology letter from President Obama to his predecessor if Obama was capable of being honest or apologizing: https://thecitizenpamphleteer.wordpress.com/2011/05/15/of-government-spending-and-economic-recoveries/

"I would suggest an overall intelligence IG which randomly assigned agents changing every year to review in detail each program."

I've occasionally suggested that we ought to do something similar with election administration: Have a sort of "election corps", where people get assigned randomly to precincts in order to thwart the sort of coordination you get when everybody administering the election in a precinct is a member of the same party, and knows each other.

"I would suggest an overall intelligence IG which randomly assigned agents changing every year to review in detail each program...Then make intentional targeting of American citizens for improper reasons a major felony."

Wait a minute.

If the President as CiC has inherent powers in wartime to collect intelligence then how can there be such a statute directing the Executive's intelligence collection in wartime? Don't you think FISA is unconstitutional for these reasons?

"Congress has the power to create departments and IGs do not direct anything."

But you said we should "make intentional targeting of American citizens for improper reasons a major felony." That would mean at the least a statute from Congress covering intelligence gathering defining certain activities as improper, and the IG would investigate the activity of the Executive to see if they were following those measures.